Chia-Network / chia-blockchain-gui

Chia blockchain GUI in electron/react
https://chia.net
Apache License 2.0

Upgraded ws to 8.17.1 and solved some issues #2415

Closed ChiaMineJP closed 3 months ago

ChiaMineJP commented 3 months ago

This PR replaces https://github.com/Chia-Network/chia-blockchain-gui/pull/2413

Why does it need replacing? Because

  1. with the above dependabot PR, the version of `packages/gui/node_modules/ws` remains 8.14.1 in `package-lock.json` and the vulnerability remains open.
  2. `ws@8.17.1` doesn't work with `packages/gui` since it added a conditional `exports` entry to its own `package.json`, like below.

     ```
     // See https://www.npmjs.com/package/ws/v/8.17.1?activeTab=code
     "exports": {
       ".": {
         ...,
         "browser": "./browser.js"
       }
     }
     ```

     When building code with webpack, it treats electron-renderer code (mostly React components) as browser code because of the above `exports` entry. This is the problem, since the content of `ws/browser.js` is

     ```js
     'use strict';

     module.exports = function () {
       throw new Error(
         'ws does not work in the browser. Browser clients must use the native ' +
           'WebSocket object'
       );
     };
     ```

     So when you try to instantiate `WebSocket`, it immediately throws.

## Solutions to the above issues
1. Remove `ws` from `packages/gui` by `npm un ws -w @chia-network/gui` then re-add `ws` by `npm i ws -w @chia-network/gui`. After the re-installation, run `npm audit fix` to upgrade `ws` to a vuln-free version.
2. Add the below entry to `packages/gui/webpack.react.babel.ts`

   ```ts
   exports.module = {
     ...,
     resolve: {
       alias: {
         ws: require.resolve('ws'), // This will be .../node_modules/ws/index.js
       },
     },
     ...
   };
   ```
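A check for the first problem described in the PR above (a nested `packages/gui/node_modules/ws` entry staying at 8.14.1 in `package-lock.json`), as an added example that is not part of the original PR or the project's code. It assumes the lockfileVersion 2 or 3 `packages` map and takes 8.17.1 from the PR title as the minimum acceptable version; the sample lockfile and the function names are constructed for illustration.

```javascript
'use strict';

// Constructed sample in the lockfileVersion 2/3 layout: a flat "packages" map
// keyed by install path. 8.14.1 and 8.17.1 come from the PR text; the
// "packages/api" and "wsx" entries are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'chia-blockchain-gui' },
    'node_modules/ws': { version: '8.17.1' },
    'packages/gui/node_modules/ws': { version: '8.14.1' },
    'packages/api/node_modules/ws': { version: '8.17.1' },
    'node_modules/wsx': { version: '1.0.0' }, // similar name, must not match
  },
};

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b (numeric, not lexical).
function isBelow(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every install path of `name` whose locked version is below `minVersion`.
// Nested and workspace-local copies are included; workspace links are skipped.
function findStaleCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) =>
      (path === suffix || path.endsWith(`/${suffix}`)) && meta.version && !meta.link)
    .filter(([, meta]) => isBelow(meta.version, minVersion))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

const stale = findStaleCopies(sampleLock, 'ws', '8.17.1');
for (const { path, version } of stale) console.log(`${path} is still at ws@${version}`);
```

Against a real checkout, pass the parsed contents of `package-lock.json` instead of `sampleLock`; an empty result means no copy of `ws` at any nesting level is below the chosen minimum.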

socket-security[bot] commented 3 months ago

New and removed dependencies detected.


🚮 Removed packages: npm/ws@8.4.2
